When Apple pushed their most recent security update, the first thing we checked was whether the ARDAgent issue was fixed. It’s not. This vulnerability lets anyone execute code as a privileged user, and versions of this attack have already been found in the wild. While several Ruby, SMB, and WebKit issues were addressed, ARDAgent is still unpatched. [Dino Dai Zovi] has published the method by which ARDAgent actually becomes vulnerable: when it starts, it installs its own Apple Event handlers and calls AESetInteractionAllowed() with kAEInteractWithSelf. This should restrict it to only its own events, but for some reason that’s not the resulting behavior. He also pointed out that SecurityAgent has displayed similar weirdness; it is vulnerable to Apple Events even though it doesn’t call an Apple Events function. We can see how this unexpected behavior could make patch development take much longer and may end up uncovering an even bigger problem. Check out [Dino]’s post for more information.
One thought on “ARDAgent.app Still Vulnerable”
MAC;PC? What's the difference? Steve and Bill should have been nicer to the public. For their greediness
everyone must suffer. I hope they both burn.%)
BURN! BABY BURN! OPEN SOURCE!!
Even the hackers quit!